share emails: Prohibit sharing posts the user cannot view.

Thanks to a report by Jordan Milne (/u/largenocream).
reddit-archive · Mar 1, 2014 · 959240a · 959240a
1 parent 2a285f8
commit 959240a
Showing 1 changed file with 2 additions and 0 deletions.
diff --git a/r2/r2/controllers/api.py b/r2/r2/controllers/api.py
@@ -1534,6 +1534,8 @@ def POST_share(self, shareform, jquery, emails, thing, share_from, reply_to,
             pass
         elif shareform.has_errors("ratelimit", errors.RATELIMIT):
             pass
+        elif not sr.can_view(c.user):
+            return abort(403, 'forbidden')
         else:
             emails, users = emails
             c.user.add_share_emails(emails)